SQL Injection Attacks: The future of mass hacking campaigns (updated)

SQL injection attacks are evolving as the prime mode of transportation for malicious scripts that hackers wish to insert into legitimate web-sites. Typically the web-site is a vehicle for distributing Trojans through scripts crafted to exploit certain vulnerabilities on visiting PCs.

These scripts are often designed to exploit vulnerabilities that the vendor usually has a patch available for; however, if you look at it from a statistical perspective, there will be a certain percentage of users who have not patched their systems against these vulnerabilities. In addition some of these attacks have used 0-day vulnerabilities to spread malware to unsuspecting users as in the case with the recent Adobe Flash vulnerability.

In most cases the Java script code being used to execute the vulnerability is obfuscated and very difficult to perform an analysis on, thus, the real intention behind the script (exploitation of vulnerabilities) can’t be seen by the naked eye. It takes clever decoding techniques to reveal the presence of actual exploit code.

The result is extra time and effort on the part of the anti-virus lab engineer to create an effective vaccination for malware delivered through encoded Java script.

However; the average rate of infection amongst protected networks is anywhere from 70% to 75% according to research conducted by PandaLabs on over 1200 networks across the globe. This obviously raises questions concerning the level and quality of protection companies have running on their PCs.

However; little is known about the true intentions or motivations behind these mass hacking campaigns. From our perspective it’s purely business and with a profit driven approach hackers will do pretty much anything to make a buck.

So exactly how do hackers gain access to web-sites without administrative privileges or by exploiting site specific vulnerabilities? Good question! It’s quite obvious that hackers are doing this through automation as it’s impossible to hack these sites manually. Some recent hacking campaigns have shown numbers in the range of 250,000 to 500,000 sites generically compromised almost overnight. What is not entirely clear is how they are gaining access to these sites at such a high rate without really customizing the attack on a site-by-site basis.

One theory is tools that incorporate the Google API framework to automate the tasks of discovering and validating if a site may be vulnerable to a SQL injection attack; a process that normally would require a visual inspection. An example of a query string that could be used is: intitle:”<iframe src=http”. This tool would also have the capability of constructing a specific injection routine to be performed against discovered targets. Certainly there are tools out there capable of conducting automated blind SQL Injection attacks including the discovery of vulnerable targets.

Share this:

Like this:

LikeLoading...

Related

This entry was posted on Wednesday, June 11th, 2008 at 5:32 pm and is filed under General. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.